Splunk® Enterprise

Search Tutorial


Use the search language

The searches you have run to this point have retrieved events from your Splunk index. You were limited to asking questions that could be answered only by counting the events returned.

For example, in the last topic, you ran this search to see how many simulation games were purchased:

sourcetype=access_* status=200 action=purchase categoryId=simulation

To find this number for each day of the previous week, you would have to run the search once for each of those days. To see which products are more popular than the others, you would have to run the search once for each of the eight categoryId values and compare the results.

Learn with search assistant

In the "Start searching" topic, you were introduced to the search assistant. This section explains in more detail one of the ways you can use the search assistant to learn about the Splunk Enterprise search processing language and how to construct searches.

1. Return to the search dashboard and restrict your search to Yesterday:

sourcetype=access_* status=200 action=purchase

As you type in the search bar, search assistant opens with syntax and usage information for the search command (on the right side). If search assistant doesn't open, click the down arrow under the left side of the search bar.

You've seen before that search assistant displays typeahead for keywords that you type into the search bar. It also explains briefly how to search.

2. Type a pipe character, " | ", into the search bar.

The pipe indicates to Splunk that you're about to use a command, and that you want to use the results of the search to the left of the pipe as the input to this command. You can pass the results of one command into another command in a series, or pipeline, of search commands.

[Image: search assistant showing the list of common next commands]

You want Splunk to give you the most popular items bought at the online store.

3. Under common next commands, click top.

Splunk Enterprise appends the top command to your search string.

According to search assistant's description and usage examples, the top command "displays the most common values of a field."

4. Either click the categoryId field in the list or type it into the search bar to complete your search:

sourcetype=access_* status=200 action=purchase | top categoryId

This populates the Statistics tab.

View reports in the Statistics tab

The results of a search are reports. The top command returns a tabulated report of the most common values of categoryId. Because top is a transforming command, this report appears in the Statistics tab.

[Image: Statistics tab showing the top categoryId results]

You see that strategy games are the most popular item in the online store.

The top command also returns two new fields: count is the number of times each value of the field occurs, and percent is how large that count is compared to the total count. Read more about the top command in the Search reference manual.
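To make concrete what the pipeline above computes, here is an added example (not code from the tutorial or from Splunk) that re-implements the search "sourcetype=access_* status=200 action=purchase | top categoryId" in Python over a constructed set of access-log lines: the base search filters events on field=value pairs (with a trailing wildcard, as in access_*), and top tabulates the field's values with the count and percent columns the page describes. The log lines, the sourcetype value access_combined assigned to every event, and the case-insensitive value matching are assumptions made for this example; the percent column is count divided by the number of matching events that carry the field, which is how the tutorial's table reads.

```python
import re
from collections import Counter

# Constructed sample events in a web access-log shape (not the tutorial's data set).
SAMPLE_EVENTS = [
    '10.2.1.34 - - [15/Jan/2014:10:01:02] "GET /cart.do?action=purchase&itemId=EST-1&categoryId=strategy HTTP/1.1" 200 1318',
    '10.2.1.35 - - [15/Jan/2014:10:01:09] "GET /cart.do?action=purchase&itemId=EST-2&categoryId=strategy HTTP/1.1" 200 1307',
    '10.2.1.36 - - [15/Jan/2014:10:01:15] "GET /cart.do?action=purchase&itemId=EST-3&categoryId=simulation HTTP/1.1" 200 1290',
    '10.2.1.37 - - [15/Jan/2014:10:01:21] "GET /cart.do?action=purchase&itemId=EST-4&categoryId=arcade HTTP/1.1" 200 1312',
    '10.2.1.38 - - [15/Jan/2014:10:01:30] "GET /cart.do?action=purchase&itemId=EST-5&categoryId=strategy HTTP/1.1" 200 1299',
    '10.2.1.39 - - [15/Jan/2014:10:01:44] "GET /cart.do?action=purchase&itemId=EST-6&categoryId=simulation HTTP/1.1" 200 1301',
    '10.2.1.40 - - [15/Jan/2014:10:02:01] "GET /cart.do?action=purchase&itemId=EST-7&categoryId=sports HTTP/1.1" 200 1287',
    '10.2.1.41 - - [15/Jan/2014:10:02:12] "GET /cart.do?action=purchase&itemId=EST-8&categoryId=strategy HTTP/1.1" 200 1320',
    '10.2.1.42 - - [15/Jan/2014:10:02:25] "GET /cart.do?action=purchase&itemId=EST-9&categoryId=simulation HTTP/1.1" 200 1295',
    '10.2.1.43 - - [15/Jan/2014:10:02:33] "GET /cart.do?action=purchase&itemId=EST-10&categoryId=arcade HTTP/1.1" 200 1300',
    # Excluded by the base search: a failed purchase (status 503) and a non-purchase action.
    '10.2.1.44 - - [15/Jan/2014:10:02:40] "GET /cart.do?action=purchase&itemId=EST-11&categoryId=strategy HTTP/1.1" 503 893',
    '10.2.1.45 - - [15/Jan/2014:10:02:48] "GET /cart.do?action=addtocart&itemId=EST-12&categoryId=strategy HTTP/1.1" 200 1302',
]

# Common-log layout: client, identities, timestamp, quoted request, status, bytes.
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)


def parse_event(line):
    """Turn one log line into a dict of fields, extracting key=value pairs from the query string.
    The sourcetype is an assumed constant so that sourcetype=access_* matches, as in the tutorial."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["sourcetype"] = "access_combined"  # assumption for this example
    query = fields["uri"].partition("?")[2]
    for pair in query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key] = value
    return fields


def _matches(actual, wanted):
    """Compare a field value with a search term; a trailing '*' is a prefix wildcard (access_*)."""
    actual, wanted = actual.lower(), str(wanted).lower()  # value comparison assumed case-insensitive
    if wanted.endswith("*"):
        return actual.startswith(wanted[:-1])
    return actual == wanted


def search(events, **criteria):
    """The part of the search string left of the pipe: keep events matching every field=value term."""
    results = []
    for line in events:
        fields = parse_event(line)
        if fields is None:
            continue
        if all(key in fields and _matches(fields[key], value) for key, value in criteria.items()):
            results.append(fields)
    return results


def top(results, field, limit=10):
    """The '| top <field>' command: the most common values of the field with count and percent,
    sorted by count descending (ties broken by value for a stable table)."""
    counts = Counter(r[field] for r in results if field in r)
    total = sum(counts.values())
    if total == 0:
        return []
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]
    return [{field: value, "count": count, "percent": round(100.0 * count / total, 6)}
            for value, count in ordered]


if __name__ == "__main__":
    # sourcetype=access_* status=200 action=purchase | top categoryId
    base = search(SAMPLE_EVENTS, sourcetype="access_*", status=200, action="purchase")
    for row in top(base, "categoryId"):
        print(row)
    # The drilldown search the tutorial runs when you click the "Strategy" slice.
    drill = search(SAMPLE_EVENTS, sourcetype="access_*", status=200, action="purchase", categoryId="strategy")
    print(len(drill), "strategy purchases")
```

Run it and the printed rows reproduce the shape of the Statistics tab: one row per categoryId value, with strategy on top at 4 purchases (40 percent of the 10 successful purchases). The 503 event and the addtocart event never reach top because the base search drops them first, which is the point of the pipe: each command only sees the output of the one before it.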

View and format reports in the Visualization tab

View the report in the Visualization tab. By default, the Visualization tab opens with a Column Chart.

[Image: Visualization tab showing the top categoryId results as a column chart]

If you click on the visualization type selector, you can see that Column, Bar, and Pie charts are recommended for this data set. Select Pie chart:

[Image: visualization type selector with Pie chart selected]

Now, your report should look like this:

[Image: Visualization tab showing the top categoryId results as a pie chart]

You can turn on drilldown to delve deeper into the details of the information presented to you in the tables and charts that result from your search.

If you mouse over each slice of the pie, you will see the count and percentage values for each categoryId. Click on a slice, such as "Strategy".

[Image: pie chart with the Strategy slice moused over, showing its count and percent]

This runs a new search, specifically for categoryId=strategy.

sourcetype=access_* status=200 action=purchase categoryId=strategy

Read more about drilldown actions in the Splunk Data Visualizations Manual.

Next steps

Go to the next topic to learn about correlating events with subsearches.


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1.13, 6.1.14
